The United States Treasury Department said it suffered a “major cybersecurity incident” that allowed suspected Chinese threat actors to gain remote access to some computers and unclassified documents.
“On December 8, 2024, third-party software services provider BeyondTrust notified the Treasury Department that an attacker gained access to a key used by the provider to secure a cloud service used to remotely provide technical support to Treasury Departmental Office (DO) end-users,” the department said in a letter to the Senate Banking, Housing and Urban Affairs Committee.
“By gaining access to the stolen key, the threat actor was able to override the security of the service, gain remote access to certain Treasury DO users’ workstations, and gain access to certain non-classified documents stored by those users.”
The federal agency said it was working with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and that the available evidence suggested it was the work of an unnamed China state-sponsored Advanced Persistent Threat (APT) actor.
The Treasury Department also said it had taken the BeyondTrust service offline, adding that there was no evidence the threat actor still had access to the environment.
Earlier this month, BeyondTrust revealed that it was the victim of a digital intrusion that allowed attackers to breach some of its Remote Support SaaS instances.
The company said an investigation into the incident revealed that attackers gained access to the Remote Support SaaS API key, which allowed them to reset passwords for local application accounts. BeyondTrust has not yet disclosed how the key was obtained.
“BeyondTrust immediately revoked the API key, notified the known affected customers, and suspended those instances the same day, providing alternative instances of the Remote Support SaaS to those customers,” it said.
The investigation also identified two vulnerabilities in the Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356, CVSS score: 9.8, and CVE-2024-12686, CVSS score: 6.6), the former of which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The disclosure comes as several U.S. telecommunications service providers find themselves in the spotlight over intrusions attributed to another Chinese state-sponsored threat actor, Salt Typhoon.